Trend Micro researchers uncovered a new variant of the notorious Mirai malware (detected by Trend Micro as Trojan.Linux.MIRAI.SMMR1) that uses multiple exploits to target various routers and internet-of-things devices. This version of Mirai was observed in honeypots the researchers set up to monitor IoT-related threats.

The Mirai variant was uncovered while doing research on another IoT malware, Bashlite, which was updated to add capabilities like deploying cryptocurrency-mining and bricking malware. Compared to Bashlite, however, this Mirai variant doesn’t have those functionalities. Additionally, while both threats have backdoor and distributed-denial-of-service (DDoS) capabilities, the way they implement the commands is different.

Exploit for CVE-2013-4863 and CVE-2016-6255, remote code execution (RCE) vulnerabilities in MiCasaVerde Veralite; the exploit targets smart home controllers. Mitigations for CVE-2016-6255 were released in July 2016.

Exploit for CVE-2014-8361, a Miniigd UPnP SOAP command execution vulnerability; the exploit targets devices with vulnerable Realtek software development kits (SDKs). The flaw was patched in May 2015.

An exploit for an arbitrary command execution vulnerability (CVE-2017-17215) in the Huawei HG532 router, patched in February 2018. This security flaw is also exploited by other IoT botnet malware such as Satori and Miori.

An exploit for a remote code execution (RCE) flaw in Linksys E-Series routers that was also exploited by TheMoon, one of the earliest IoT botnet malware families.

An RCE exploit for ThinkPHP 5.0.23/5.1.31, an open-source web development framework. Trend Micro researchers also observed the Hakai and Yowai botnet malware exploiting the flaw to breach web servers.

Apart from the use of multiple exploits, this version of Mirai retains its backdoor and DDoS capabilities. Mirai gained notoriety for its use in attacks that knocked high-profile websites offline and caused service outages. Since its emergence, it has become a perennial threat that widely affects IoT devices, and it continues to receive updates that add capabilities or functions. For example, the dictionary attacks of this Mirai variant (which use preprogrammed usernames and passwords) include credentials that aren’t present in other or older versions of Mirai: videoflow, huigu309, CRAFTSPERSON, ALC#FGU, and wbox123.
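As an added example (not from the article or from Trend Micro), the following Python script scans honeypot-style login records for the five credentials listed above, so a defender can spot this variant's dictionary attacks against exposed Telnet or SSH services and prioritize any successful login. The log format and the sample lines are constructed assumptions; adapt the regex to your own logs.

```python
import re
from collections import Counter

# Credentials the article reports as new to this Mirai variant's dictionary
# (each may appear as a username or a password). Taken from the article.
MIRAI_VARIANT_CREDS = {"videoflow", "huigu309", "CRAFTSPERSON", "ALC#FGU", "wbox123"}

# Constructed sample log lines in a hypothetical honeypot format:
# "<ts> <src_ip> <service> LOGIN user=<u> pass=<p> result=<fail|success>"
SAMPLE_LOG = """\
2019-04-01T10:00:01Z 198.51.100.7 telnet LOGIN user=root pass=password1 result=fail
2019-04-01T10:00:02Z 198.51.100.7 telnet LOGIN user=admin pass=huigu309 result=fail
2019-04-01T10:00:03Z 198.51.100.7 telnet LOGIN user=CRAFTSPERSON pass=ALC#FGU result=fail
2019-04-01T10:00:05Z 203.0.113.9 ssh LOGIN user=pi pass=raspberry result=fail
2019-04-01T10:00:06Z 203.0.113.9 telnet LOGIN user=root pass=wbox123 result=success
2019-04-01T10:00:07Z 192.0.2.44 ssh LOGIN user=alice pass=******** result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<svc>\S+) LOGIN "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<res>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognized lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text, creds=MIRAI_VARIANT_CREDS):
    """Return (hits, successes): hits counts, per source IP, the login attempts
    that used any of the variant's credentials; successes lists the attempts
    among them that succeeded, which warrant immediate incident response."""
    hits = Counter()
    successes = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed or unrelated lines
        if rec["user"] not in creds and rec["pw"] not in creds:
            continue
        hits[rec["src"]] += 1
        if rec["res"] == "success":
            successes.append((rec["src"], rec["user"], rec["svc"]))
    return hits, successes


if __name__ == "__main__":
    hits, successes = scan_log(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"{src}: {n} attempt(s) with Mirai-variant credentials")
    for src, user, svc in successes:
        print(f"ALERT: successful {svc} login as {user!r} from {src}")
```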

Securing routers and devices against threats like Mirai

Mirai doesn't just adversely affect the privacy and security of IoT devices and data stored in them. It can also take control of infected devices and make them part of the problem. While IoT device manufacturers play important roles in securing these devices, users and businesses should also adopt good security practices to defend against threats like Mirai, such as:

Choosing a reliable manufacturer that consistently patches its products.

Regularly updating the firmware and software of devices (e.g., routers) as well as the credentials used to access them.

Encrypting and securing the connections that devices use.

Configuring routers to make them more resistant to intrusion.

Disabling outdated or unnecessary components in devices and using only legitimate applications via trusted sources.

Deploying tools that provide additional security, especially to home networks and the devices connected to them.

Trend Micro Smart Home Network™ provides coverage to many of the vulnerabilities cited in the article via these rules:

Analysis and insights by Augusto Remillano II, Jakub Urbanec, Byron Galera, and Mark Vicente

Updated as of April 10, 2019, 7:57 PM EDT to include the rules in the Trend Micro Smart Home Network solution.
